Note When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names with an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.

If you use the ACE CLI to configure a named object with special characters that the DM does not support, you may not be able to configure the ACE using DM.

Overview of the Admin Functions

Use the Admin tab to manage role-based access control, set up and view statistical data for the ACE appliance, and use troubleshooting tools for the ACE Appliance Device Manager.

Note Some of the Admin options might not be visible to some users; the roles assigned to your login determine which options are available.

Table 15-1 describes the options that are displayed when you click Admin.

Report a problem to the Cisco support line and generate a diagnostic package, access files from the ACE appliance for viewing or tracking, and replace all virtual context configurations with the CLI configurations from the ACE appliance

Controlling Access to the Cisco ACE Appliance

Access to ACE Appliance Device Manager is controlled using the same username and password that access the ACE appliance. This enables authentication to a local database or to an external RADIUS, TACACS+, or LDAP server. If you choose to authenticate using AAA and not the local database, you must configure AAA using the CLI. For details on setting up remote authentication using AAA servers, see the Security Guide, Cisco ACE Application Control Engine.

Note The ACE supports local user authentication using a local database on the ACE or through remote authentication using one or more AAA servers. AAA remote servers are grouped into independent groups of TACACS+, RADIUS, or LDAP servers. Authentication allows you to control user access to the ACE by requiring specification of a valid username and password, or no password verification. When you configure the ACE appliance from the CLI to support the user authentication and accounting functions, the Device Manager honors the tasks that are performed by the specified remote server. See the Security Guide, Cisco ACE Application Control Engine for details about authentication and accounting.

In addition, the role and domains that a user is associated with on a remote server are also honored by the Device Manager.

The ACE Appliance Device Manager does not configure AAA; instead, it uses role-based access control for access to features. When a user logs into the system, the specific tasks they can perform and areas of the system they can use are controlled by contexts, roles, and domains. If you need to restrict a user's access, you must first assign a role-domain pair.

The role assigned to a user defines the tasks a user can perform and the items in the hierarchy that they can see. Roles are either predefined or set up by the system administrator. Each role, user, and domain is associated with a context. Only roles and domains associated with the Admin context can see other contexts. See Understanding Roles for more information.

A domain is a collection of managed objects. When a user is given access to a domain, this acts as a filter for a subset of objects on the network which are displayed as a virtual context. The types of objects in the system that are domain controlled are:

•All objects listed below

•Access list—Ethertype

•Access list—Extended

•Class-map

•Interface VLAN

•Interface BVI

•Parameter-map

•Policy-map

•Probe

•Real server

•Script

•Server farm

•Sticky

Thus, role-based access control ensures that users can view only the devices or services or perform the actions that are included in the domains to which they have been given access.

Figure 15-1 Role-Based Access Control Containment Overview

[Figure: an example of role-based access control containment. Domains: East Coast servers, Central servers, West Coast servers. Role: Web server administrator. Users: User A, User B, User C.]

Note Each association is one-to-many.

All other user interfaces, such as configuration, monitoring, and administration, respect this role-based access control policy:

•Roles limit the screens (or functions on those screens) that a user can see.

•Domains limit the objects that are listed on any screen that the roles allow.

•Users (other than the administrator) can create only subdomains of the domains to which they are assigned. However, no parent/child relationship is kept between domains.

•The system administrator user (Admin) can see and modify all objects. All other users are subject to the role-based access controls illustrated in Figure 15-1.

Types of Users

Two types of users configure and monitor the ACE appliance:

•Default user—Individuals associated with the data center or IT department where the ACE appliance is installed. The default administrative account (user ID admin) is a system user account that is preconfigured on the system. The admin user password was set when the system was installed. You can change the password for the admin user account in the same manner as any user password (see Managing Users).

Predefined system roles are specified in terms of roles, domains, and operations privileges. Each role can work with a specific set of operations and domains in a context.

•Assigned users—Users to whom you want to grant access to the ACE appliance. You can give users limited access by selecting the roles and domains to which they belong. Users are not allowed to change to other contexts and can work with a specific set of operations and domains in the context in which they were created.

Understanding Roles

User roles determine the privileges that a user has, the features they can access, and the actions they can take in a particular context.

The Cisco ACE appliance provides a set of predefined roles (see Table 15-2). Additional roles can also be defined by the system administrator. Roles are specified in terms of resource types and operations privileges known as rules. For each role, rules provide permissions about which resource types a role can work with and what operations a role can perform on each resource type.

Each user is assigned exactly one role (Network-Monitor is the default) and inherits the operations privileges specified for each of the rules assigned to that role. Each role can have different access privileges (in the form of rules) that are independent of other assigned roles.

The options a user sees in the menu are filtered according to that user's role.

Note If you need to restrict a user's access, you must assign a role-domain pair. Otherwise, no matter what roles the user may have, that user will not be able to access any specific resources, and, therefore, will have no powers on the system.

All users are strictly limited by the combination of their contexts, roles, and domains. For example, a user cannot create another user who has greater privileges or access or is outside their domain.

Roles cannot be deleted if they are currently referenced by a user. The predefined roles cannot be changed or deleted.

Understanding Operations Privileges

Operations privileges define what users can do in the designated context. There are two levels of access. The first level is the permit or deny permission. The second level is the operations privilege the user is permitted or denied from performing. For example, each feature on the ACE appliance has an assigned privilege. If a user's privileges are not sufficient, the feature will not be available to them. The following operations privileges can be permitted or denied from least to greatest privilege levels:

•Monitor—Allows the user to view statistics and specify parameter collection.

•Modify—Allows the user to change the persistent information associated with system objects, such as a configuration.

•Debug—Allows the user to collect information on existing problems.

•Create—Allows the user to control system objects, for example, creating them, enabling them, or powering up; also has delete permission.

Privileges are hierarchical. If a user has Modify privileges, they have Monitor privileges as well. If a user has Create or Debug privileges, they have Modify privileges as well. Only Admin has Resource Class Mgmt access.

Note The ability to create automatically contains the modify function, but the reverse is not true (a user with modify privileges cannot automatically create items).

Understanding Domains

The Cisco ACE appliance provides a predefined default domain that contains all objects. You cannot modify or delete the predefined domain. Additional domains can be defined by the system administrator. A domain is a collection of managed objects to which a user is given access. By setting up a customized domain, you are filtering a subset of objects on the network. The user is then given access to this domain.

For example, a user can see only what is in the domain to which they have access (achieved through row filtering). If the default domain contains 50 objects and the customized domain, dom1, consists of the following domain objects: Rserver rs1, Rserver rs2, Serverfarm sf1, Serverfarm sf2, and Accesslist extended acl1, a user associated with domain dom1 can see only those five objects within the whole context.

The rows a user sees in any table are filtered according to the domain to which that user has access.


Guidelines for Managing Users

•For users that you create in the Admin context, the default scope of access is for the entire ACE.

•If you do not assign a role to a new user, the default user role is Network-Monitor. For users that you create in other contexts, the default scope of access is the entire context.

•Users cannot log in until they are associated with a domain and a user role.

•You cannot delete roles and domains that are associated with an existing user.

Step 4 Click OK to delete the user account or Cancel to exit the procedure without deleting the user. If you click OK, the window refreshes with the Users table and the deleted user account no longer appears.

Ending Active User Sessions

When a user session is ended, the user is logged out of the interface from which the user session was initiated. If the user was making changes to a configuration, the configuration lock is released and any uncommitted configuration change is discarded.

If a user session is ended while an operation is in progress, the current operation is not stopped, but any subsequent operation is denied.

Note Your user role determines whether you can use this option.

Procedure

Step 1 Select Admin > Role-Based Access Control > Active Users.

Step 2 Select the table rows containing the user sessions to be ended.

Changing the Admin Password

Each ACE appliance has an admin user account built into the device. The root user ID is admin, and the password is set when the system is installed. For information about changing the Admin password, see Changing Your Account Password.

Managing User Roles

Use the Roles feature to add, modify, and delete user-defined roles. Predefined roles display with grey italic text and background and cannot be deleted or modified.

A user's role determines the tasks the user can access. Each role is associated with permissions or rules that define what feature access this role contains.

Guidelines for Managing User Roles

Use these guidelines to manage roles:

•Administrators can view and modify all roles.

•Other users can only view the roles assigned to them.

•You cannot change the default roles.

•Role permissions are different based on whether they were created in an Admin context versus a non-admin or user context. If you want to allow users to switch between contexts, ensure they have a predefined role. If you want to restrict a user to only their home context, assign them a customized user role.

•Certain role features are only available to default roles, for example, an Admin role in the Admin context would have changeto and system permissions to perform tasks like license management, resource class management, HA setup, and so on. User-created roles cannot use these features.

Understanding Predefined Roles

The predefined roles and their default privileges are defined in Table 15-4. This table includes rule changes for Admin and user contexts (non-admin contexts). For detailed information on role-based access control, see the Virtualization Guide, Cisco ACE Application Control Engine. For details on how the predefined roles are mapped to ACE Appliance Device Manager tasks/features, see Table 15-5.

You must have one of the predefined roles in the Admin context in order to use the changeto command (which allows users to visit other contexts). Non-admin/user contexts do not have access to the changeto command; they can only visit their home context. Context administrators, who have access to multiple contexts, must explicitly log in to other contexts to which they have access.

Table 15-4 Predefined Role Rules for Admin and User Contexts

Predefined Role/Context: Admin Role, Admin Context

Description: If created in the Admin context, user has complete access to and control over all contexts, domains, roles, users, resources, and objects in the entire ACE.

Operations:

•Debug

•Create

•Modify

•Monitor

Features:

•All (context service configuration)

•User Access (roles, domains, and users)

•System (context administration)

•changeto command (access to all contexts)

•exec command (enables all default custom role commands)

Predefined Role/Context: Admin Role, User Context

Description: If created in a user context, user has complete access to and control over all objects in that context.

Role Mapping in ACE Appliance Device Manager

When you are logged into ACE Appliance Device Manager, you see the tasks that you have been given permission to access. Table 15-5 describes the predefined roles and the menu tasks and features available to those roles. Features and menus that are not applicable for your role will not display.

Since the predefined roles encompass all the role types you may need, we encourage you to use them. If you choose to define your own roles, be aware that rules features are not a one-to-one mapping from CLI feature to ACE Appliance Device Manager menu task.

Defining the proper rules for your user-defined role will require you to create a mapping between the features in Table 15-4 and the ACE Appliance Device Manager menu tasks. For example, in order to manage virtual servers, you must select the following six menu features (Real Servers, Server Farms, VIP, Probes, Load Balancing, NAT, and Interface) in your role.

Note There are certain features in the ACE Appliance Device Manager that do not have a corresponding feature mapping on the CLI. One example of this is class maps. To modify these features you need to select a predefined role that contains at least one feature with the Modify permission on it.

For details on predefined roles and their default privileges, see Table 15-4.

RBAC User Role Requirements Related to Virtual Servers

If you want to create, modify, or delete a virtual server, we recommend that you use the pre-defined Admin role (see Table 15-4). Only the Admin pre-defined role supports the ability to successfully deploy a functional virtual server from the ACE appliance Device Manager.

If a user prefers to be assigned a custom role, and wants the ability to create, modify, or delete a virtual server, that user requires the proper role permissions to be defined by the administrator to allow them to perform those virtual server activities.

Note A user must be assigned with a default domain (default-domain) to be able to configure a virtual server. A domain is the namespace in which a user operates.

Note For a user with a customized role to perform configuration and operation changes from the ACE Appliance Device Manager, you must configure the role with rules that permit the create operation for the config-copy and exec-commands features.

Included below are a list of RBAC permissions which are required for a user to create, modify, or delete a virtual server:

Rule  Type    Permission  Feature
----  ------  ----------  -----------
1     Permit  Create      real
2     Permit  Create      serverfarm
3     Permit  Create      vip
4     Permit  Create      probe
5     Permit  Create      loadbalance
6     Permit  Create      nat
7     Permit  Create      interface
8     Permit  Create      connection
9     Permit  Create      ssl
10    Permit  Create      pki
11    Permit  Create      sticky
12    Permit  Create      inspect

Note that certain configured virtual servers may only use a subset of these features and may not require all the permissions outlined above. In general, the above set of permissions is required to allow users to configure all elements of a virtual server.
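The following is an added example, not Cisco code or the Device Manager's implementation. It models the rules described under Understanding Operations Privileges and Understanding Domains together with the virtual-server permission list above: the Monitor/Modify/Debug/Create hierarchy, domain row filtering, and a check of which Create permissions a custom role still lacks before it can deploy a virtual server. The deny-precedence behaviour, the object lists, and the role names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Operations hierarchy from the page: Modify implies Monitor; Create and Debug
# each imply Modify (and so Monitor). Create does not imply Debug or vice versa.
IMPLIED = {
    "monitor": {"monitor"},
    "modify": {"modify", "monitor"},
    "debug": {"debug", "modify", "monitor"},
    "create": {"create", "modify", "monitor"},
}

# Features the page lists as required to create, modify, or delete a virtual server.
VIRTUAL_SERVER_FEATURES = ("real", "serverfarm", "vip", "probe", "loadbalance", "nat",
                           "interface", "connection", "ssl", "pki", "sticky", "inspect")

@dataclass(frozen=True)
class Rule:
    permit: bool    # True = Permit, False = Deny
    operation: str  # monitor | modify | debug | create
    feature: str    # e.g. "real", "vip", "ssl"

@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)

    def allows(self, operation, feature):
        """True if the role grants `operation` on `feature`. A permit also covers
        the operations it implies (permit create -> modify, monitor). Assumption,
        since the page does not define deny precedence: a deny blocks its own
        operation and every higher one that implies it, and wins over permits."""
        granted = False
        for r in self.rules:
            if r.feature != feature:
                continue
            if r.permit and operation in IMPLIED[r.operation]:
                granted = True
            elif not r.permit and r.operation in IMPLIED[operation]:
                return False
        return granted

    def missing_for_virtual_server(self):
        """Features on the page's list that still lack a Create permission."""
        return [f for f in VIRTUAL_SERVER_FEATURES if not self.allows("create", f)]

@dataclass(frozen=True)
class Domain:
    name: str
    members: frozenset  # (type, name) pairs; empty = default domain (every object)

    def visible(self, objects):
        """Row filtering: a customized domain shows only its own members."""
        return [o for o in objects if not self.members or o in self.members]

def user_can(role, domain, operation, feature, obj, context_objects):
    """The object must be visible through the domain AND the role must grant the operation."""
    return obj in domain.visible(context_objects) and role.allows(operation, feature)

# Constructed sample: the five dom1 objects from the page, plus others in the same context.
CONTEXT_OBJECTS = [("rserver", "rs1"), ("rserver", "rs2"), ("rserver", "rs3"), ("serverfarm", "sf1"),
                   ("serverfarm", "sf2"), ("access-list", "acl1"), ("access-list", "acl2")]
DOM1 = Domain("dom1", frozenset([("rserver", "rs1"), ("rserver", "rs2"), ("serverfarm", "sf1"),
                                 ("serverfarm", "sf2"), ("access-list", "acl1")]))
```

Running `Role(...).missing_for_virtual_server()` on a proposed custom role before assigning it tells you which of the twelve Create rules are still absent, which is the usual reason a custom-role user cannot deploy a virtual server.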

Displaying User Roles

Use this option to display the existing user roles.

Note Your user role determines whether you can use this option.

Procedure

Step 1 Select Admin > Role-Based Access Control > Roles. A table of the defined roles and their settings appears.

Step 2 You can use the options in this screen to create a new role, filter roles based on a string, or modify or delete any existing role to which you have access.

Creating User Roles

You can create new, user-defined roles. When you create a new role, you specify a name and description of the new role, then select the operations privileges for each task. You can also assign this role to one or more users.

Note Your user role determines whether you can use this option.

Procedure

Step 1 Select Admin > Role-Based Access Control > Roles. A table of the defined roles and their settings appears.

Step 2 Click Add. The New Role configuration screen appears.

Step 3 Enter the following attributes.

Table 15-6 Role Attributes

Attribute: Name
Description: The name of the role.

Attribute: Description
Description: A brief description of the role.

Step 4 Click Deploy Now to deploy this configuration. The new role is added to the list of user roles and the Rules table appears below the Roles form in the content area.

Step 5 Click Add to create rules for this role. This role inherits the roles of the user that created it.

Step 6 To alter rules, select changes to any of the following attributes.

Note For a user with a customized role to perform configuration and operation changes from the ACE Appliance Device Manager, you must configure the role with rules that permit the create operation for the config-copy and exec-commands features.

The Changeto feature allows you to move from the Admin context to another virtual context and maintain the same role with the same privileges in the new context that you had in the Admin context.

The Exec-commands feature enables all default custom role commands in the ACE. The default custom role commands are capture, debug, gunzip, mkdir, move, rmkdir, tac-pac, untar, write, and undebug.

1. Certain features are not available for certain operations. For modify, the following features cannot be used: Change To Context, Config-Copy, DHCP, Exec-Commands, NAT, Real Inservice, Routing, and Syslog.

Guidelines for Managing Domains

•Devices and their components must already be configured in ACE Appliance Device Manager in order for them to be added to a domain.

•Domains are logical concepts. You do not delete a member of a domain when you delete the domain.

•Predefined domains cannot be modified or deleted.

•Normally, a user is associated with the default domain, which allows the user to see all configurations within the context. When a user is configured with a customized domain, then the user can see only what is in the domain.

Note To add objects to a customized domain, use the CLI and then use the synchronize feature in ACE Appliance Device Manager to add this object into its customized domain on ACE Appliance Device Manager. Adding objects to customized domains directly in ACE Appliance Device Manager results in the object being added to the default domain.

Viewing ACE Appliance Server Statistics

Use this procedure to display ACE appliance statistics (for example, CPU, disk, and memory usage) and view them graphically.

Statistics collection is enabled by default; statistics are collected and saved to the database every 5 minutes after the device SNMP credential configuration passes validation and is saved. For a newly created virtual context, the only piece of information that you need to provide in order to start statistical collection is the SNMP community information in the Config > SNMP screen.

Using Admin Tools

Use these Admin Tools to perform troubleshooting and diagnostics tasks:

•Generating a Diagnostic Package—Use the troubleshooting and diagnostics tools provided by the Lifeline feature to report a critical problem to the Cisco support line and generate a diagnostic package.